[OpenAFS] Hardware Grants from Sun

Douglas E. Engert deengert@anl.gov
Fri, 23 Feb 2007 12:03:58 -0600

Jeffrey Hutzelman wrote:
> On Friday, February 23, 2007 09:23:21 AM -0600 "Douglas E. Engert" 
> <deengert@anl.gov> wrote:
>> So getting 100,000 in equipment is only part of it. If you are
>> willing to state a desire to target OpenSolaris, Sun should be willing
>> to state a desire to integrate AFS credential handling
>> in their products too, like ssh delegation of credentials to get
>> AFS tokens, and having home directories in AFS.
> Doug, it's worth noting that the sorts of people who can give away 
> equipment often have little or no control over things like operating 
> system development, and asking for such things is at best useless. 

But it is worth asking, to make sure even within Sun one hand knows
what the other is doing.

> On the other hand, we have plenty of contacts within Sun to help us with 
> issues like this, and OpenSolaris, like OpenAFS, is an open-source 
> software project in which any of us can participate.

Yes, I know many of them...  and have Bcc'ed Nico and Willys on this note.

> Incidentally, it should be noted that Sun's ssh supports GSS-API 
> userauth and key exchange out of the box, including credential 
> delegation, and that its PAM support is considerably better than that of 
> OpenSSH. 

Yes, as you must already know we are using the Solaris 10 ssh and sshd, and 
Solaris Kerberos with great success, but it's not perfect. Sun insists on
using the default ticket cache for a user: krb5cc_<uid>  rather than a
session based cache for each sshd session.  They also insist on updating
only the TGT in a cache when it is acquired, rather than discarding
all the other tickets, so they will be re-obtained using the
new TGT. This has implications for aklog, as it can end up using
a ticket that will expire a lot sooner than expected. It also has
implications after a screen unlock. You also don't want
one session deleting the cache!

I have expressed my concerns to Nico on these issues over the years.

So to force sshd to use a session based cache we added a
"pam_krb5_cache.so.1 cache=/tmp/krb5cc_%u_%p" to set the cache name.

We also are using the pam_afs2.so to get the PAG and token.

Also as you must already know, I have been bugging them to
release the Kerberos header files for Solaris 10, so one could
compile *aklog* using the Solaris Kerberos. (This is reported to be
in "update 4". Looks like this might be another 6 months!)
We have been using OpenSolaris Kerberos header files with Solaris 10,
and so far it works.

> As for home directories; we've been putting users' home 
> directories in AFS for O(15) years, though we only appear to have been 
> supporting Solaris since 1995. If you have specific issues, please 
> describe them instead of asking that Sun be "willing to state a desire" 
> for things to work that already do.

There are still issues with having to have an AFS token before any
files in the home directory are accessed, even the .k5login. Since this
is a general OS problem.

The point is things don't work as well as they could, partly because the
OS developers don't use AFS. This acceptance of a "gift" might be the
time to get Sun to look a little closer at how things really work.

> -- Jeff


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
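As an added illustration (not part of the thread, and not Solaris or OpenAFS code), the following toy model contrasts the two ticket-cache refresh policies Doug describes: replacing only the TGT versus discarding the other tickets so they are re-obtained under the new TGT. Principal names, the realm, and the clock values are all constructed.

```python
# Added illustration: why aklog can pick up an AFS service ticket that expires
# much sooner than the freshly acquired TGT when the cache keeps old tickets.
from dataclasses import dataclass

TGT = "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG"   # constructed realm
AFS = "afs/example.org@EXAMPLE.ORG"      # constructed AFS service principal
LIFETIME = 10 * 3600                     # 10h ticket lifetime (constructed)


@dataclass
class Ticket:
    principal: str
    endtime: int   # seconds on a toy clock


def get_service_ticket(tgt, now):
    """A service ticket never outlives the TGT it was obtained with."""
    return Ticket(AFS, min(tgt.endtime, now + LIFETIME))


def refresh_tgt(cache, new_tgt, discard_others):
    """Store a new TGT; optionally drop every other ticket in the cache."""
    if discard_others:
        cache.clear()
    cache[TGT] = new_tgt


def aklog_remaining(cache, now):
    """Model of aklog: reuse a cached afs/ ticket, else obtain one from the TGT.
    Returns how long the ticket it would present is still valid."""
    if AFS not in cache:
        cache[AFS] = get_service_ticket(cache[TGT], now)
    return cache[AFS].endtime - now


def simulate(discard_others):
    """Login at t=0 (aklog runs), kinit again at t=9h, aklog right after."""
    cache = {TGT: Ticket(TGT, LIFETIME)}
    aklog_remaining(cache, 0)
    now = 9 * 3600
    refresh_tgt(cache, Ticket(TGT, now + LIFETIME), discard_others)
    return aklog_remaining(cache, now)


if __name__ == "__main__":
    print("TGT-only refresh: AFS ticket valid for", simulate(False), "s")  # 3600
    print("discard others:   AFS ticket valid for", simulate(True), "s")   # 36000
```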